Changeset 2150

Timestamp:

13/02/07 09:56:51 (14 years ago)

Author:

pjkersha

Message:

python/ndg.security.server/ndg/security/server/ca/init.py:

• Get CA directory from OpenSSLConfig.caDir property
• re-written chkCAPassphrase so that it uses M2Crypto code rather than a system call to

openssl.

python/ndg.security.common/ndg/security/common/openssl.py: rewritten OpenSSLConfig class
to use SafeConfigParser?. This required an override to allow OpenSSL config file style
querks.

Location:

TI12-security/trunk/python

Files:

• ndg.security.common/ndg/security/common/openssl.py (modified) (7 diffs)
• ndg.security.server/ndg/security/server/ca/__init__.py (modified) (4 diffs)

TI12-security/trunk/python/ndg.security.common/ndg/security/common/openssl.py

@@ -14 +14 @@
 
 import re, os
+from ConfigParser import SafeConfigParser
 
 #_____________________________________________________________________________        
@@ -21 +22 @@
 
 #_____________________________________________________________________________        
-class OpenSSLConfig(object):
+class OpenSSLConfig(SafeConfigParser, object):
     """Wrapper to OpenSSL Configuration file to allow extraction of
     required distinguished name used for making certificate requests
     
-    @cvar __reqDnRE: regular expression pattern for locating required
-    distinguished name from the config file
-    
+    @type _certReqDNParamName: tuple
     @cvar _certReqDNParamName: permissable keys for Distinguished Name
     (not including CN which gets set separately).  This is used in __setReqDN
-    to check input"""
-    
-    __reqDnRE = '\[\s*req_distinguished_name\s*\].*\['
-   
+    to check input
+    
+    @type _caDirPat: string
+    @cvar _caDirPat: sub-directory path to CA config directory
+    @type __gridCASubDir: string
+    @cvar __gridCASubDir: sub-directory of globus user for CA settings"""
+    
     _certReqDNParamName = ('O', 'OU', '0.organizationName',
                             '0.organizationalUnitName')
+    
+    _caDirPat = re.compile('\$dir')
+    
+    __gridCASubDir = os.path.join(".globus", "simpleCA")
 
     
@@ -44 +50 @@
         @param filePath: path to OpenSSL configuration file"""
         
-        # Content of file
-        self.__fileTxt = None
+        SafeConfigParser.__init__(self)
+        
         self.__reqDN = None
         self.__setFilePath(filePath)
+
+        # Set-up CA directory
+        if not os.environ.get('HOME'):
+            raise SimpleCAError, "Environment variable \"HOME\" is not set"
+        
+        self.__caDir = os.path.join(os.environ['HOME'], self.__gridCASubDir)
 
             
@@ -79 +91 @@
                         fset=__setFilePath,
                         doc="file path for configuration file")
-    
-    def __getFileTxt(self):
-        """Get content of file in call to getReqDN
-        @rtype: string
-        @return: content of file"""
-        return self.__fileTxt
-    
-    def __setFileTxt(self, input):
-        """Set content of file
-        @type input: string
-        @param input: content of  file."""
-        if input is not None and not isinstance(input, basestring):
-            raise AttributeError, "File text must be string or None type"
-        
-        self.__fileTxt = input
-    
-    
-    fileTxt = property(fset=__setFileTxt,
-                       fget=__getFileTxt,
-                       doc="Content of SSL file")
+
+            
+    def __setCADir(self, caDir):
+        """Set property method
+        @param caDir: path for OpenSSL configuration file"""
+        if filePath is not None:
+            if not isinstance(caDir, basestring):
+                raise OpenSSLConfigError, \
+                    "Input OpenSSL CA directory path must be a string"
+
+            try:
+                if not os.access(caDir, os.R_OK):
+                    raise OpenSSLConfigError, "not found or no read access"
+                                         
+            except Exception, e:
+                raise OpenSSLConfigError, \
+                    "OpenSSL CA directory path is not valid: \"%s\": %s" % \
+                    (filePath, str(e))
+                    
+        self.__caDir = caDir
+                    
+
+    def __getCADir(self):
+        """Get property method
+        @type caDir: string
+        @return caDir: directory path for CA configuration files"""
+        return self.__caDir
+
+    caDir = property(fget=__getCADir,
+                     fset=__setCADir,
+                     doc="directory path for CA configuration files")
 
 
@@ -106 +129 @@
         @return reqDN: Distinguished Name for certificate request"""
         return self.__reqDN
+
 
     def __setReqDN(self, reqDN):
@@ -128 +152 @@
                      doc="Distinguished Name for certificate request")
     
-       
     def read(self):
-        """Read OpenSSL configuration file and parse certificate request
-        Distinguished Name settings"""
-
+        """Override base class version to avoid parsing error with the first
+        'RANDFILE = ...' part of the openssl file.  Also, reformat _sections 
+        to allow for the style of SSL config files where section headings can 
+        have spaces either side of the brackets e.g. 
+        [ sectionName ] 
+        
+        and comments can occur on the same line as an option e.g. 
+        option = blah # This is option blah
+        
+        Reformat _sections to """
         try:
-            self.__fileTxt = open(self.__filePath).read()
+            file = open(self.__filePath)
+            fileTxt = file.read()
         except Exception, e:
             raise OpenSSLConfigError, \
                 "Error reading OpenSSL config file \"%s\": %s" % \
                                                     (self.__filePath, str(e))
+
+        idx = re.search('\[\s*\w*\s*\]', fileTxt).span()[0]
+        file.seek(idx)
+        SafeConfigParser.readfp(self, file)
+        
+        # Filter section names and reomve comments from options
+        for section, val in self._sections.items():
+            newSection = section
+            self._sections[newSection.strip()] = \
+                                    dict([(opt, self._filtOptVal(optVal))
+                                          for opt, optVal in val.items()])
+            del self._sections[section]
+       
+        self._setReqDN()
+
+    
+    def _filtOptVal(self, optVal):
+        """For option value, filter out comments and substitute $dir with
+        the CA directory location"""
+        return self.__class__._caDirPat.sub(self.__caDir,
+                                            optVal.split('#')[0].strip())
+
+
+    def readfp(self, fp):
+        """Set to not implemented as using a file object could be problematic
+        given read() has to seek ahead to the first actual section to avoid
+        parsing errors"""
+        raise NotImplementedError, "Use read method instead"
         self._parseReqDN()
 
 
-    def _parseReqDN(self):
-        """Parse Required DN parameters from the configuration file returning
+    def _setReqDN(self):
+        """Set Required DN parameters from the configuration file returning
         them in a dictionary
         
@@ -150 +209 @@
         # Nb. Match over line boundaries
         try:
-            reqDnTxt = re.findall(self.__reqDnRE, self.__fileTxt, re.S)[0]
-
-            # Separate lines
-            reqDnLines = reqDnTxt.split(os.linesep)
-            
-            # Match the '*_default' entries and make a dictionary
-            #
-            # Make sure comment lies are omitted - P J Kershaw 22/07/05
-            self.__reqDN = dict([re.split('_default\s*=\s*', line) \
-                                 for line in reqDnLines \
-                                 if re.match('[^#].*_default\s*=', line)]) 
+            self.__reqDN = \
+            {
+                'O': self.get('req_distinguished_name', 
+                              '0.organizationName_default'),
+                'OU': self.get('req_distinguished_name', 
+                               '0.organizationalUnitName_default')
+            }
         except Exception, e:
             raise OpenSSLConfigError, \
-                "Error parsing content of OpenSSL config file \"%s\: %s" % \
+            'Error setting content of Distinguished Name from file "%s": %s'%\
                                                     (self.__filePath, str(e))

TI12-security/trunk/python/ndg.security.server/ndg/security/server/ca/__init__.py

@@ -31 +31 @@
 
 # Certificate request generation
-from M2Crypto import X509, RSA, EVP, m2
+from M2Crypto import X509, BIO, RSA, EVP, m2
 
 # For parsing of properties file
@@ -56 +56 @@
     @cvar __validKeys: valid configuration property keywords used in file
     and keyword input to __init__ and setProperties()
-    
-    @type __gridCASubDir: string
-    @cvar __gridCASubDir: sub-directory of globus user for CA settings
     
     @type __gridCAConfigFile: string
@@ -152 +149 @@
 
 
-        # Set-up CA directory - use in chkCAPassphrase()
-        if not os.environ.get('HOME'):
-            raise SimpleCAError, "Environment variable \"HOME\" is not set"
-        
-        if 'openSSLConfigFilePath' not in self.__prop:        
-            self.__openSSLConfig.filePath = os.path.join(os.environ['HOME'], 
-                                                   self.__gridCASubDir,
+        # Make config file path default setting if not already set 
+        if 'openSSLConfigFilePath' not in self.__prop:
+            self.__openSSLConfig.filePath = os.path.join(\
+                                                   self.__openSSLConfig.caDir,
                                                    self.__gridCAConfigFile)
             self.__openSSLConfig.read()
@@ -377 +371 @@
 
 
-    #_________________________________________________________________________
-    def chkCAPassphrase(self, caPassphrase=None):
+    def chkCAPassphrase(self, caPassphrase=None):        
+        
+        if caPassphrase is None:
+            caPassphrase = self.__caPassphrase
+        else:
+            if not isinstance(caPassphrase, basestring):
+                raise SimpleCAPassPhraseError, \
+                                    "CA Pass-phrase must be a valid string"
+                                    
+        try:
+            priKeyFilePath = self.__openSSLConfig.get('CA_default', 
+                                                      'private_key')
+            priKeyFile = BIO.File(open(priKeyFilePath))
+            
+        except Exception, e:
+            raise SimpleCAError, \
+                        "Reading private key for pass-phrase check: %s" % e
+        try:    
+            RSA.load_key_bio(priKeyFile,callback=lambda *ar,**kw:caPassphrase)
+        except:
+            SimpleCAPassPhraseError, "Invalid pass-phrase"
+            
+            
+    #_________________________________________________________________________
+    def OldchkCAPassphrase(self, caPassphrase=None):
         """Check given pass-phrase is correct for CA private key